Government Data Wiped by Insider Hackers in OPEXUS Security Breach
Two convicted hackers deleted 33 federal databases in a shocking insider breach at OPEXUS, exposing major flaws in access control and vetting.
Admin By Request EMEA
LEAST PRIVILEGE PRINCIPLES, JUST-IN-TIME ELEVATION
The world’s first SaaS EPM solution, now in version 8, has achieved multi million installs globally and is trusted by many of the world’s largest and well-know brands. With an unrivaled security record and support for Windows, Mac and Linux endpoints, no other Local Admin rights solution is as quick to deploy, easy to use and affordable to purchase.
Why Endpoint Privilege Management?
Full feature, non-expiring Free tier (Free Plan)
Per Process or Session elevation modes with or without approval
Elevation & sub process blocking
Lightweight and low resource agent
OPSWAT multi engine AV protection as standard
Machine Learning & AI Approval modes
Endpoint Privilege Management in action
Endpoint Privilege Manager: Popular Use Cases
Explore the five most common Admin Rights ‘User Personas’ to see which specific use cases match your requirements.
SHADO
SCENARIO
- Shadow IT: was general annoyance, now major security challenge.
- More technically savvy staff are using their own PAM/EPM identity access to ‘help out’ colleagues bypassing IT.
- Customers using solutions such as Entra ID find it difficult to limit physical device logon rights to specific users/teams.
SOLUTION
- ‘Fuses’ privilege elevation capable users to endpoint hardware.
- Enable secure non owner bypass for emergencies (PIN codes).
- Rapid ‘disowning’ kill switch
- Log ownership of hardware over time to record ‘provenance’
ROBO
SCENARIO
- Found in industrial engineering, military, manufacturing & energy sectors(including nuclear power stations).
- Legacy software + I/O control + machinery.
- Fully unattended elevation required(no interactive prompting).
SOLUTION
- Removal of Admin Rights, enabling of UAC if disabled.
- Policy based single app elevation control based on file hash, read only file/network location or vendor certificates.
- Safe suppression of elevation prompting for automation.
- Rigorous application vetting process.
- Audit logging for both online or offline operation.
POP
SCENARIO
- Most common type of elevation use case.
- Unpredictable, ‘pop up’ disruption from staff requesting admin.
- Usually urgent & not processed fast enough.
- Resource intensive for helpdesk to grant.
- Usually full is admin granted – keys to the car.
SOLUTION
- Simple, easy to execute approval workflows.
- Harness AI to better gauge suitability (app. taxonomy).
- Single app approval in sand boxed process.
- Highly responsive & reliable rights delivery as time critical.
- Mobile app approval.
- Offline request handling (eg. PIN codes).
- Full audit trail.
HERO
SCENARIO
- Helpdesk Staff have full / global Local Admin Rights.
- Endpoint security restrictions = barriers for Helpdesk operations.
- Use of full admin rights / disabling restrictions solve user issues.
- Helpdesk staff can be accidental enablers of Ransomware infections.
SOLUTION
- Removal of permanent admin rights from ALL helpdesk staff.
- Just In Time / Just Enough admin rights dynamic policy assignment.
- Tighter controls of what / where helpdesk team can elevate.
- Real time multi engine malware reputation checking.
- Full audit logging of helpdesk activities for compliance.
WHIZ
SCENARIO
- Highest risk profile. Developers need to elevate multiple applications and cannot stop and wait for approvals.
- This group of users is the most likely to unintentionally elevate something malicious, AND where infection is most damaging (online systems data breach, I.P. theft etc.
- Developers tend to be the last people to have their admin rights revoked.
SOLUTION
- Developers are demanding users that suit time-based admin (sessions) vs per app elevation control.
- Configurable, visible countdown time.
- Additional reputation checking also extremely helpful here ‘in session.
- Admin Rights experience should be as ‘humane’ and as frictionless as possible whilst still being totally safe.
- Above all, developers should be happy with whatever solution you implement. Start ‘softly’ to maximize acceptance.
OOPS
SCENARIO
- Users / Computers have become un-registered from AD / Entra ID due to technical issue or auto-unbind policies for extended duration away.
- Profile on users computer has become corrupted / something preventing user from logging in (forgot password).
- MS LAPS is not available / not configured or issues due to computer off domain.
SOLUTION
- Portal Admin with correct privileges can issue the user a one time use Break Glass account.
- Account is time limited, full local admin and does not require AD/Entra ID join.
- Can rescue dire situation which previously would have required a complete reset.
- Feature built in to endpoint agent from day 1, does not need any configuration / setup.
- Available on Windows Workstation, Windows Server and Mac agents.
See Each Persona in Action on our YouTube Channel!
COMPREHENSIVE | SECURE | INTEGRATED
Navigate the remote work landscape with confidence: leverage familiar approval flows and features to enable secure, browser-based connections to workstations, servers, and network devices, and provide remote support for end users.
Why Secure Remote Access?
Single solution for User, Infrastructure or Vendor access
Same agent as EPM solution (unified agent)
Approval and MFA options for all remote access requests
Full auditing and Screen recording as standard
API with Integrations (Including ServiceNow, Jira)
No management software or VPNs required
Secure Remote Access in action
Explore five key use cases and capabilities:
User Initiated Remote Support Screenshare
SCENARIO
- Many Remote Support solutions have little or no identity management (rely on access codes).
- Free & portable remote access applications difficult to prevent proliferation.
- Users install ‘personal’ free versions to enable remote access to work system from home.
- Impossible to know who has access to what at any time.
SOLUTION
- ‘Deny / block all user installable solutions.
- Require Enterprise MFA for all access.
- 100% secure browser (plugin free) solutions (avoids legacy / infected control software).
- Implement centralised approval, screen recording, auditing.
- Invest in integrations with core support & SIEM systems. (JIRA, ServiceNow, Splunk, MS Sentinel etc).
Helpdesk Initiated Remote Support Screenshare
SCENARIO
- The dreaded ‘one more thing’ follow up call.
- New issue, new ticket, new process, new friction.
- New support agent, unfamiliar with user’s environment.
- These are the lingering & underlying issues which are usually annoying and productivity sapping.
SOLUTION
- Enable frictionless & secure same agent rapid ‘ping back’ for the quick win.
- Huge productivity gains in solving ‘baked in’ problems.
- Quickest way to resolve tricky follow ups before they become part of accepted ‘normal’ and adopted by other users.
Unattended Remote Access
SCENARIO
- Users will usually only tolerate a small amount of time (5 mins) of having to watch someone work a problem before them become impatient.
- Shared remote access that requires the user to be in attendance should be for quick fix or brief recon only.
- Techies will generally not be at their creative best when they know someone is watching them / they are being pressurised to resolve.
SOLUTION
- Once it’s established this will not be a quick fix, further investigations should be performed without inconveniencing the user, switching to SRA Unattended Access.
- This can happen at a time that best suits both the user and the technician – access can be on demand or with approval required.
- Reboots, re-installs, patching, extended debug, log analysis can all be done in plenty of time, with zero stress.
- With a ‘private’ environment to experiment and prove / disprove theories, unattended access is more likely to result in a successful fix.
Agentless remote access to infrastructure
SCENARIO
- A user problem on an endpoint might not always be WITH the endpoint.
- Connected systems / infrastructure might likely be the cause.
- Devices / systems might not be running / capable of running agents.
- Enabling access to these systems ‘just for a look’ is hard to justify and time consuming to setup and audit.
- All of this creates friction and the likelihood of ‘giving up.
SOLUTION
- Using SRA Unattended Access ‘On Premises Gateway’ (OPGW) enables easy, secure, fully audited access to any discovered device that runs standard remote access protocols (RDP, SSH & VNC).
- No limit on the number of OPGWs in your ABR environment.
- Access can be automatic, or with approval workflow enabled.
- MFA supported on access to all devices.
Vendor Access to provide controlled access to third parties
SCENARIO
- Techs will always strive to want to fix problems themselves, without help.
- Granting external users access to internal resources can be a painful, time-consuming process.
- Therefore, there is kudos to gain, and administrative work to avoid in attempting to solve problems internally.
- However, as the more time invested, the harder it becomes to accept that external help is needed after all.
- Meanwhile the problem grows bigger, more disruptive, more expensive consequences.
SOLUTION
- Enabling vendors & contractor access should be frictionless. As easy as adding them to a portal and assigning them assets to work on.
- Credential free access, with approval, screen recording, perhaps one time only. No requirement to add them multiple internal systems / directories.
- No need to delay requesting outside involvement as there is no friction to set them up. Problems will be fixed quicker, before they get worse / more expensive to fix.
- Less contractor time is needed, less impact on business, all without ‘residue’.
Meet Key EMEA Personnel
